FISMA

The Federal Information Security Management Act of 2002 (FISMA) requires the National Institute of Standards and Technology (NIST) to develop the information security standards and guidelines that apply to US Federal Government systems and to organizations that handle Federal data on the government's behalf.

Federal information systems must be Certified and Accredited (C&A) before they are authorized to operate, with their security controls reviewed at least annually as FISMA requires. The process is described in NIST Special Publication 800-37. The FISMA Compliance Reporter is designed to reduce the skilled labor cost of this process; the vendor states a reduction of more than 70%. A whitepaper describing the process is located here.

The federal C&A process is risk-driven and uses the risk assessment methodology of NIST Special Publication 800-30. The FISMA Compliance Reporter automates this risk assessment process. A description of the automation is available here.